Verifiable secret sharing (VSS) is designed to allow parties to collaborate to keep secrets. We 
describe here a method of fabricating false secret shares that appear to other parties to be legitimate, 
which can prevent assembly of the decryption key. This vulnerability affects VSS schemes using 
verification commitments bounded to a finite field. 


Verifiable secret sharing (VSS) schemes [U-Ql rely on the assumption that parties cannot reliably fabricate false 
secret shares that pass the verification process. Here, we show that, for certain VSS implementations that use 
verification commitments bounded to a finite field, this assumption is incorrect. 

Let there be $n$ shares of a secret and a threshold of $t$ secret shares required to recover the secret. Choose a finite field 
$\mathbb{Z}_p$ and a generator $g \in \mathbb{Z}_p$ (of the multiplicative group $\mathbb{Z}_p^*$). Each party $i$ is associated with a unique non-zero identity $i \in \mathbb{Z}_p$ and creates a secret random 
polynomial, 

$$P_i(z) = a_{i,0} + a_{i,1} z + \cdots + a_{i,t-1} z^{t-1}, \qquad (1)$$

with coefficients $a_{i,j} \in \mathbb{Z}_p$; party $i$'s part of the decryption key is $a_{i,0}$. Each party also computes verification commitments 
$(c_{i,j})_j$, 

$$c_{i,j} = g^{a_{i,j}} \bmod p, \qquad (2)$$

which are made available to all parties. 

Next, each party $i$ computes and sends the $k$th secret share, $P_i(k)$, to party $k$. Party $k$ checks the incoming share 
against the sending party's verification commitments: 

Party $k$ accepts the share received from party $i$ as legitimate if it matches the verification commitments (which are available to 
all parties). 

We now describe the vulnerability. First, note the following: 

1. The polynomial interpolation for recovering the decryption key parts must occur in the field $\mathbb{Z}_p$. 

2. The multiplicative order of $g$ divides $p - 1$, so $g^{x} = g^{y} \bmod p$ whenever $x \equiv y \pmod{p-1}$. 

Suppose one of the parties, $i$, is an adversary. The adversary creates the polynomial $P_i$ and posts verification commitments 
$c_{i,j}$ as above, but sends false secret shares $Q_k \neq P_i(k)$ such that 

$$Q_k \equiv P_i(k) \pmod{p-1}. \qquad (4)$$

The false shares pass the check, since $g^{Q_k} = g^{P_i(k)} \bmod p$; however, attempts to recover $P_i(0)$ from the $Q_k$ will most likely fail. 
Writing $Q_k = P_i(k) + m_k (p-1)$ gives $Q_k \equiv P_i(k) - m_k \pmod p$, so interpolation in $\mathbb{Z}_p$ through $t$ such shares returns 
$a_{i,0} - M(0)$, where $M$ is the polynomial of degree less than $t$ through the points $(k, m_k)$; the adversary simply chooses the $m_k$ 
(for instance, all equal to the same non-zero constant) so that $M(0) \not\equiv 0 \pmod p$. The 
adversary can then prevent the decryption key from being assembled by withholding $P_i(0)$. 

In principle, this problem is avoidable by using verification commitments that are not bounded to the finite field, 
for example $c_{i,j} = g^{a_{i,j}}$ computed over the integers rather than modulo $p$. However, $a_{i,j}$ is then of the order of $p$, i.e. at least 
1024 bits, so $g^{a_{i,j}}$ has on the order of $2^{1024}$ bits and there is no practical way to compute or store these verification commitments. 
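Worked example, added here and not part of the original note: a Python model of the scheme above with toy parameters (p = 23, g = 5, so ord(g) = p - 1 = 22; a t = 3 polynomial with constructed coefficients 7, 3, 9 and parties 1, 2, 3), showing that the fabricated shares Q_k = P_i(k) + m_k (p - 1) pass the commitment check while interpolation in Z_p returns a_{i,0} - M(0) instead of a_{i,0}. It assumes, as the note leaves implicit, that shares are transmitted and verified as unreduced integers: with ord(g) = p - 1, a share reduced modulo p before exponentiation would in general fail the check even when honest. For contrast, and beyond what the note discusses, the second function runs the same attempt in the standard Feldman setting, where g is replaced by an element of prime order q dividing p - 1 and all polynomial arithmetic is done in Z_q; there any Q_k congruent to P_i(k) modulo q reduces to the honest share and the attack has no effect. The function names, parameter sizes and coefficient values are the example's own choices, not the note's.

```python
"""Feldman-style VSS over Z_p with ord(g) = p - 1, the fabricated shares
Q_k = P(k) + m_k (p - 1) of eq. (4), and the prime-order-subgroup setup
in which the same fabrication yields no distinct share."""

# Constructed toy parameters (NOT secure sizes). p = 23 is a safe prime
# (p - 1 = 2 * 11) and g = 5 is a primitive root mod 23, so ord(g) = p - 1.
P = 23
G = 5
Q = (P - 1) // 2           # prime 11
H = pow(G, 2, P)           # g^2 = 2 has prime order Q in Z_p^*


def poly_eval(coeffs, x, mod=None):
    """a_0 + a_1 x + ... + a_{t-1} x^{t-1}, over the integers if mod is None."""
    acc = 0
    for a in reversed(coeffs):
        acc = acc * x + a
        if mod is not None:
            acc %= mod
    return acc


def commitments(coeffs, g):
    """c_j = g^{a_j} mod p, eq. (2)."""
    return [pow(g, a, P) for a in coeffs]


def verify_share(k, share, comms, g):
    """Feldman check g^share == prod_j c_j^(k^j) (mod p). Both sides live in
    the group <g>, so the exponents are only compared modulo ord(g)."""
    rhs = 1
    for j, c in enumerate(comms):
        rhs = rhs * pow(c, k ** j, P) % P
    return pow(g, share, P) == rhs


def lagrange_at_zero(points, mod):
    """Recover P(0) from t points (x_i, y_i) by Lagrange interpolation in Z_mod."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % mod
                den = den * (xi - xj) % mod
        total = (total + yi * num * pow(den, -1, mod)) % mod
    return total


def attack_over_zp(coeffs=(7, 3, 9), ids=(1, 2, 3)):
    """Setting of the note: shares are integer evaluations P(k), the check is
    done in <g> with ord(g) = p - 1, interpolation is done in Z_p (note 1).
    Returns (honest_verify, fake_verify, true_secret, recovered_from_fakes)."""
    comms = commitments(coeffs, G)
    honest = {k: poly_eval(coeffs, k) for k in ids}
    # Adversary's Q_k = P(k) + m_k (p - 1); m_k = k + 1 is an arbitrary choice
    # whose interpolant M(x) = x + 1 does not vanish at 0.
    fake = {k: honest[k] + (k + 1) * (P - 1) for k in ids}
    honest_ok = all(verify_share(k, s, comms, G) for k, s in honest.items())
    fake_ok = all(verify_share(k, s, comms, G) for k, s in fake.items())
    true_secret = lagrange_at_zero([(k, s % P) for k, s in honest.items()], P)
    # In Z_p, Q_k == P(k) - m_k, so the interpolant is P(x) - M(x) and the
    # recovered value is a_0 - M(0) = a_0 - 1.
    recovered = lagrange_at_zero([(k, s % P) for k, s in fake.items()], P)
    return honest_ok, fake_ok, true_secret, recovered


def attack_over_zq(coeffs=(7, 3, 9), ids=(1, 2, 3)):
    """Standard Feldman setup (added for contrast): generator H of prime order Q,
    polynomial and interpolation over Z_Q, shares reduced modulo Q on receipt.
    Any Q_k congruent to P(k) mod Q reduces to the honest share, so the secret
    is recovered unchanged. Returns (fake_verify, true_secret, recovered)."""
    comms = commitments(coeffs, H)
    honest = {k: poly_eval(coeffs, k, Q) for k in ids}
    fake = {k: honest[k] + (k + 1) * Q for k in ids}
    fake_ok = all(verify_share(k, s, comms, H) for k, s in fake.items())
    true_secret = lagrange_at_zero(list(honest.items()), Q)
    recovered = lagrange_at_zero([(k, s % Q) for k, s in fake.items()], Q)
    return fake_ok, true_secret, recovered


if __name__ == "__main__":
    print("over Z_p (note's setting):", attack_over_zp())   # (True, True, 7, 6)
    print("over Z_q (prime-order subgroup):", attack_over_zq())  # (True, 7, 7)
```

The contrast makes the practitioner's check concrete: the fabrication only survives reduction when the modulus used for shares and interpolation differs from the order of the commitment base. If the share space is Z_q with q = ord(g) and every received share is reduced modulo q before use, a value congruent to P_i(k) modulo q is P_i(k), and the question of storing unbounded integer commitments does not arise.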